Red Hat 7.1 rpc.statd problem

From: Blue Boar (BlueBoarat_private)
Date: Wed Dec 05 2001 - 10:31:46 PST

Next message: maillist: "Re: Proxy bypass in Opera : security related ?"

Previous message: Nick Lange: "Re: IE Denial of service (sorta)"
Next in thread: Chris Ess: "Re: Red Hat 7.1 rpc.statd problem"
Reply: Chris Ess: "Re: Red Hat 7.1 rpc.statd problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have a question. It may sound a bit more appropriate for Incidents,
but keep reading.

So, I'm running a Red Hat 7.1 box. I intentionally have many services
running, but I applied all the patches from Red Hat during install, and
I apply any new patches within a few hours of them coming out. I have
this a few times in my messages file:

rpc.statd[496]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

This is fairly common from what I can see. Lots of people report this,
and it appears that this is what you get after the patches have been
applied, and the attack fails. This is the result of a standard exploit,
and I believe also a worm based on that same exploit. There doesn't
appear to be any evidence of a successful intrusion on my box.

So my question is: If this is a patched version, why the heck is it
trying to look up that name? I'm pretty sure that there
isn't someone out there who has that as a reverse name for PTR
records.

Can anyone help clear up my confusion? Is this just a really bad
patch, or is there still room for exploit, or is this the way
it's supposed to work?

Next message: maillist: "Re: Proxy bypass in Opera : security related ?"
Previous message: Nick Lange: "Re: IE Denial of service (sorta)"
Next in thread: Chris Ess: "Re: Red Hat 7.1 rpc.statd problem"
Reply: Chris Ess: "Re: Red Hat 7.1 rpc.statd problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 11:08:56 PST